Abstract

We present a logic for reasoning about licenses, which are "terms of use" for digital resources.
The logic provides a language for writing both properties of licenses and specifications that
govern a client's actions. We discuss the complexity of checking properties and specifications
written in our logic and propose a technique for verification. A key feature of our approach is
that it is essentially parameterized by the language in which the licenses are written, provided
that this language can be given a trace-based semantics. We consider two license languages to
illustrate this flexibility.

1 Introduction 

In the world of digital rights management, licenses are agreements between the distributors and 
consumers of digital resources. A license is issued by an owner to a prospective client. It states the 
exact conditions under which a particular resource may be used, including a complete description 
of how compensation may be given. Licenses can be viewed as a subset of authorization policies, 
policies that dictate what actions a system's principal can perform at any given time. Licenses are 
an essential part of any rights management system, because they tell the consumer, as well as the 
enforcement mechanism, which uses are legitimate. 

Licenses must be written in some language. Although many licenses are very simple (e.g., 
"consumer must pay a fee before each access to an on-line journal"), more complicated ones, in 
particular ones involving time, are also common (e.g., "for each month from 1/1/01 to 1/1/02 the 
mortgage requires either a $1500 payment between the first and fourth of the month or a $1525 
payment between the fourth and the fourteenth"). The language must be expressive enough to 
capture these types of licenses. Languages such as DPRL [Ramanujapuram and Ram 1998], XrML 
[ContentGuard, Inc. 2000], and ODRL [IPR Systems Pty Ltd 2001] have been developed to state 
a wide range of licenses. These languages, however, do not have formal semantics. Instead, they 
rely on intuitions behind their syntax, and on informal descriptions of expected behavior. As a 
consequence, licenses that "seem right" are enforced without anyone knowing precisely what is 
intended or exactly what is allowed. 

Gunter et al. [2001] used techniques from programming language semantics [Hoare 1985] to
remove these ambiguities. In their approach, the meaning of a license is a set of traces. Each trace
represents a sequence of actions allowed by the license. A correct enforcement mechanism permits
any sequence of actions specified by the license and forbids any other. To illustrate their idea, Gunter
et al. defined a simple language with semantics that could be used to state a number of licenses
precisely.

*This paper is essentially the same as one that appeared in the Proceedings of the 15th IEEE Computer Security
Foundations Workshop, pp. 282-294, 2002.

In addition to unambiguously expressing licenses, we would like to reason about them. In
general, we are interested in two classes of questions: does a set of licenses have certain properties,
and do a client's actions with respect to a set of licenses meet particular specifications? Note that
we make a distinction between the characteristics inherent in a set of licenses (properties, sometimes
referred to as license properties for emphasis), and those whose truth depends on the client's actions
(specifications, sometimes referred to as client behavior specifications for emphasis). Examples of
properties include "a religious work may only be viewed during the hour before sunset" and "if a
user accesses a work, then the user is obligated to pay for the access at some time." Depending on
the licenses, each property may or may not be easy to check. Continuing the last example, an owner
may allow a client to defer payment in so many situations that it is not clear that there will ever
be an occasion when the client must pay. Alternatively, a license may permit free access to some
resources, but have so much "red tape" that the client cannot determine whether the desired
resource actually is free. As for specifications, examples include "the client never uses a resource
illegally" and "the client is never obligated to pay interest on her credit card debt". The difficulty
of specification checking depends on both the licenses and the client's actions. Verifying properties and
specifications is important, because it increases our confidence that the licenses match the informal
requirements and that the informal requirements match the owner's intent.

In this paper we present a logic for reasoning about licenses that provides us with a language 
in which we can state properties and specifications precisely. The logic is essentially a temporal 
logic. It allows us to make statements about issued licenses, assuming the licenses are written in 
some particular language that is distinct from our logic. For ease of exposition, we assume until 
Section 4 that licenses are written in a very simple, regular language and that the application has 
only one client and one provider. Our framework can be modified in a straightforward manner to 
reason about different license languages. It is also easy to extend the logic to multiple clients and 
providers. 

As the examples suggest, license properties and client behavior specifications typically involve
the client's permissions and obligations to do certain actions. We take a very simple view of
permissions and obligations. In particular, we focus exclusively on the client's viewpoint. Inspired
by Gunter et al., we interpret licenses as describing a set of legal sequences of actions. A client is
permitted to do an action if that action is part of a sequence of actions that is legal according to the
actions she has already done and the licenses issued. If there is only one such action for a particular
license, then the client is obligated to do that action.

To illustrate our notions of permission and obligation, consider the mortgage example in which 
the client must pay either $1500 between the first and fourth or $1525 between the fourth and the 
fourteenth of every month from 1/1/01 to 1/1/02. For the first month, there are two legal action 
sequences. The client could pay $1500 before the fourth. Alternatively, the client could pay $1525 
between the fourth and the fourteenth. Since there is a legal action sequence in which the client pays 
before the fourth and one in which the client does not, we say that the client is permitted, but not 
obligated, to make the earlier payment. If the client doesn't make the earlier payment, then the only 
legal sequence she can be following is the second one. In this case, she is obligated to complete that 
sequence by paying $1525 before the fourteenth. 
Why are we designing a logic for reasoning about licenses? A logic provides us with a formal
language in which to write properties and specifications. In addition, it allows us to check in a
provably correct way that a property or specification holds for a particular set of licenses and, in
the case of a specification, a client's behavior. We can automate the analysis by developing model
checking techniques. It turns out that standard model checking procedures (as given in [Clarke,
Grumberg, and Peled 1999]) apply to our framework. These procedures can form the foundation of
enforcement mechanisms that are well-grounded in formal methods.

The design of our logic was strongly influenced by the work of Halpern and van der Meyden 
[2001a, 2001b] on reasoning about SPKI/SDSI. It is also reminiscent of deontic logic approaches, 
which aim at reasoning about ideal and actual behavior [Meyer and Wieringa 1993]. Deontic logic 
has been used extensively to analyze the structure of normative law and normative reasoning in law. 
(For examples, please see [Wieringa and Meyer 1993] and the references therein.) 

In the next section, we introduce our logic. Section 3 examines the complexity of checking 
that a license property or client behavior specification holds. In Section 4, we show that our logic 
can be adapted to different license languages, by replacing our regular language with a variant of 
DigitalRights [Gunter, Weeks, and Wright 2001]. We discuss related work in Section 5. Proofs of 
our technical results can be found in the appendix. 

2 The logic 

We want to reason about licenses and a client's actions with respect to licenses. To do this, we
introduce a logic, $\mathcal{L}^{lic}$, that allows us to talk about licenses and actions. Formulas in $\mathcal{L}^{lic}$ include
permission and obligation operators, as well as temporal operators, because we want to write
formulas that represent interesting properties and specifications, namely those that state the conditions
under which actions are permitted or obligatory. In this section, we give the syntax for our logic,
followed by its semantics.

2.1 Syntax 

The syntax of $\mathcal{L}^{lic}$ has three categories: formulas ($\varphi, \psi, \ldots$), actions ($\alpha, \ldots$), and licenses ($\ell, \ldots$).
Their definitions assume a set $Names$ of license names, a set $Works$ of works (i.e., resources),
and a set $Devices$ of devices (i.e., ways to access resources). Actions are taken from a set
$Act = \{render[w, d] : w \in Works, d \in Devices\} \cup \{pay[x] : x \in \mathbb{R}\} \cup \{\bot\}$, where $\bot$ represents the
null or "do nothing" action. (For simplicity, we consider only render and pay actions, as was done
in [Gunter, Weeks, and Wright 2001].) Also, we let $Lic$ be the set of licenses $\ell$. In the following
formal description, $n \in Names$ and $a \in Act$.

$$\varphi ::= n : \ell \mid \alpha \mid P\alpha \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi \mid \bigcirc\varphi \mid \Box\varphi \mid \varphi_1\, U\, \varphi_2$$

$$\alpha ::= (a, n) \mid \overline{(a, n)}$$

$$\ell ::= a \mid \ell_1 \ell_2 \mid \ell^* \mid \ell_1 \cup \ell_2$$

Intuitively, $n : \ell$ means "the license whose legitimate action sequences are described by the regular
expression $\ell$ is being issued now and will be referred to by the name $n$." The primitive action $(a, n)$
means "action $a$ is performed with respect to the license named $n$". The action $\overline{(a, n)}$ represents any
action-name pair where the action is not $a$, but the license name is $n$. $P\alpha$ indicates that the action
expression $\alpha$ is permitted. The set of formulas is closed under $\wedge$, $\Box$, $\bigcirc$ and $U$, which are
well-known operators from classical and temporal logic [Goldblatt 1992].¹ We use the standard
abbreviations $\varphi \vee \psi$ for $\neg(\neg\varphi \wedge \neg\psi)$, $\varphi \Rightarrow \psi$ for $\neg\varphi \vee \psi$, and $\Diamond\varphi$ for $\neg\Box\neg\varphi$. Also, we abbreviate
the action $(a, n)$ as $a_n$. For instance, $(render[w, d], n)$ is written $render_n[w, d]$, and $(\bot, n)$ is written
$\bot_n$.

We use the abbreviation $O(a, n)$ to stand for $\neg P\overline{(a, n)}$. As we shall see later, the interpretation
of $O(a, n)$ is that the client is obligated to perform action $a$ with respect to the license named $n$.

To illustrate how our logic can be used in practice, consider the following scenario. Suppose
an owner of an on-line journal requires a fee to be paid before each access. This license $\ell$ can be
written in our logic as:

$$\ell = ((pay[fee]\,(\bot)^*\, render[journal, d]) \cup \bot)^*,$$

where $d$ is the device that the client uses to access the journal. Assuming the license is labeled $n$,
the property that the client is not obligated to access the journal immediately after paying the fee
can be written as:

$$pay_n[fee] \Rightarrow \bigcirc(\neg O\, render_n[journal, d]).$$

The specification that the client doesn't violate the license can be written as the family of formulas:

$$n : \ell \Rightarrow \Box[(\alpha \Rightarrow P\alpha) \wedge (O\alpha \Rightarrow \alpha)],$$

where $\alpha \in \{pay_n[fee], render_n[journal, d], \bot_n\}$. In other words, the client only does legitimate
actions and does every action that is required by the license once it is issued. As a final example, we
can write that, during one time period, the client pays $1500 on the mortgage $m$, but doesn't pay
the journal fee as:

$$pay_m[1500] \wedge \overline{pay_n[fee]}.$$



2.2 Semantics 

To formalize the intuitions given above, we base our semantics on the notion of a run. When
defining a run, we make the standard assumption that time is discrete and can, in fact, be represented
using nonnegative integers. A run $r$ associates each time $t$ with a pair $(L, A)$, where $L$ is the set
of named licenses issued at that time (a named license is a pair $(n, \ell)$ of a name $n$ and a license
$\ell$), and $A$ is a function giving, for each license name $n$, an action $A(n)$ performed by the client
at that time (or $\bot$ if no action was performed with respect to $n$). Formally, a run is a function
$r : \mathbb{N} \rightarrow \wp(Names \times Lic) \times Act^{Names}$ such that no name is paired with more than one license
throughout the entire run. Recall that $Act^{Names}$ is the set of all functions from $Names$ to $Act$. Our
approach imposes the restriction that at most one action per time per named license can occur. We
do not need this limitation, but it simplifies the exposition. In essence, we are trading the ability
to handle the class of licenses where a client must do multiple actions simultaneously for a simple
definition of a license where concurrent actions are not handled. For notational convenience, given
a run $r$ and time $t$ with $r(t) = (L, A)$, we define $lic(r, t)$ to be the set of named licenses issued
in run $r$ at time $t$, that is, $lic(r, t) = L$; similarly, we define $act(r, t)$ to be the set of action and
license name pairs performed in run $r$ at time $t$, that is, $act(r, t) = \{(A(n), n) : n \in Names\}$.
Finally, we say that a license $(n : \ell)$ is active at time $t$ in run $r$ if there exists a time $t' \le t$ such that
$(n, \ell) \in lic(r, t')$.

¹Recall that $\Box\varphi$ means "$\varphi$ holds now and at all future times", $\bigcirc\varphi$ means "$\varphi$ holds at the next time", and $\varphi_1 U \varphi_2$
means "$\varphi_2$ eventually holds and, until it does, $\varphi_1$ holds".

While a run captures the client's actions, an interpretation states what is permitted. Formally, a
permission interpretation $P$ is a function $P : \mathbb{N} \rightarrow \wp(Act \times Names)$ that is used to give a meaning
to permissions. Intuitively, if $(a, n) \in P(t)$ then at time $t$, the client is permitted to perform action
$a$ with respect to license name $n$. In other words, the client is allowed to do an $a_n$ action.

We want the interpretation of permissions to match the permissions implied by the run. To 
define this requirement formally, we first give a mapping that relates licenses to action sequences. 
We then use this mapping to find the permission interpretation that permits an action if and only if 
the run implies the permission. 

Following the lead of Gunter et al. [2001], we associate each license with a set of traces. In our
discussion, a trace refers to a sequence of actions.² The notation $s_1 \cdot s_2$ denotes the concatenation
of two sequences of actions $s_1$ and $s_2$, where $s_1 \cdot s_2 = s_1$ if $s_1$ is infinite. A trace $s_1$ is said to be a
prefix of trace $s_2$ if there is some trace $s$ such that $s_1 \cdot s = s_2$.

We construct a function $\mathcal{L}[\ell]$ by induction on the structure of a given license $\ell$:

$$\mathcal{L}[a] = \{a\}$$

$$\mathcal{L}[\ell_1 \ell_2] = \{s_1 \cdot s_2 : s_1 \in \mathcal{L}[\ell_1] \text{ and } s_2 \in \mathcal{L}[\ell_2]\}$$

$$\mathcal{L}[\ell_1 \cup \ell_2] = \mathcal{L}[\ell_1] \cup \mathcal{L}[\ell_2]$$

$$\mathcal{L}[\ell^*] = \bigcup_{n \ge 0} \{s_1 \cdot \ldots \cdot s_n : s_i \in \mathcal{L}[\ell]\}.$$

The function $\mathcal{L}[\ell]$ gives the set of traces allowed by the license. We define the function $\mathcal{T}[\ell]$ to
provide the infinitary version of the sequences corresponding to $\ell$, by essentially appending infinitely
many $\bot$ actions at the end of each sequence. Formally, $\mathcal{T}[\ell] = \{s \cdot \bot^\infty : s \in \mathcal{L}[\ell]\}$. Finally, an
action sequence $s$ is said to be viable for $\ell$ if $s$ is a prefix of some trace in $\mathcal{T}[\ell]$.

We are now ready to define the interpretation $P_r$ corresponding to run $r$. Given a named license
$(n, \ell)$ issued at time $t_1$ in a run $r$, the action-sequence of $n$ up to time $t_2$, denoted $r[n, t_2]$, is the
sequence $a_0 a_1 \cdots a_{t_2 - t_1 - 1}$ such that:

$$a_i = \begin{cases} a & \text{if } (a, n) \in act(r, t_1 + i) \\ \bot & \text{otherwise.} \end{cases}$$

Since we restricted a run to only allow one action per license per time unit, the notion of an action-sequence
is well-defined. The interpretation $P_r$ corresponding to a run $r$ is defined as follows. For
all times $t \ge 0$, $P_r(t)$ is the smallest set such that, for all license names $n \in Names$ and actions
$a \in Act$, $(\bot, n) \in P_r(t)$ if the license $(n, \ell)$ is not active, and $(a, n) \in P_r(t)$ if the license is active
and $r[n, t] \cdot a$ is viable for $\ell$.

To understand the meaning of an action expression $\alpha$, we need a way to associate it with
name-action pairs. We do this by defining a mapping $\mathcal{A}[\alpha]$ from expressions to sets of pairs. Clearly,
an action expression $(a, n)$ should be mapped to the pair $(a, n)$. The complement action $\overline{(a, n)}$ is
mapped to the set of actions different from $a$, but associated with the same license name $n$. Formally,

$$\mathcal{A}[(a, n)] = \{(a, n)\}$$

$$\mathcal{A}[\overline{(a, n)}] = \{(b, n) : b \neq a\}.$$

Contrary to intuition, we do not associate the complement of a name-action pair with the largest set
of name-action pairs that does not include it. That mapping has unfortunate consequences, because
it ignores the intuitive independence between licenses. For example, it would allow us to deduce that the
client can do any action with respect to any license other than the mortgage, if the client is permitted
to not make a mortgage payment. Statements concerning one set of licenses should not be used to
deduce anything about any other license.

As an example of our approach, recall the situation in which the client pays $1500 on the
mortgage, but doesn't pay the journal fee. The action expressions $\alpha_1$ and $\alpha_2$ used to express these
actions are $pay_m[1500]$ and $\overline{pay_n[fee]}$, respectively. Applying the above definition, $\mathcal{A}[\alpha_1] =
\{(pay[1500], m)\}$, and $\mathcal{A}[\alpha_2] = \{(a, n) : a \neq pay[fee]\}$. Hence, the actions $\alpha_1$ and $\alpha_2$ mean that
"the client is paying $1500 with respect to $m$ and doing some action other than paying the fee with
respect to $n$".

²Gunter et al. use the term reality for this concept, although their formal definition is different.

We now define what it means for a formula $\varphi$ to be true (or satisfied) at a run $r$ at time $t$, written
$r, t \models \varphi$, by induction on the structure of $\varphi$:

$r, t \models n : \ell$ iff $(n, \ell) \in lic(r, t)$,

$r, t \models \alpha$ iff $\exists (a, n) \in \mathcal{A}[\alpha]$ s.t. $(a, n) \in act(r, t)$,

$r, t \models P\alpha$ iff $\exists (a, n) \in \mathcal{A}[\alpha]$ s.t. $(a, n) \in P_r(t)$,

$r, t \models \bigcirc\varphi$ iff $r, t + 1 \models \varphi$,

$r, t \models \Box\varphi$ iff for all $t' \ge t$, $r, t' \models \varphi$,

$r, t \models \varphi\, U\, \psi$ iff $\exists t' \ge t$ s.t. $r, t' \models \psi$ and $r, t'' \models \varphi$ for all $t''$ with $t' > t'' \ge t$,

$r, t \models \neg\varphi$ iff $r, t \not\models \varphi$,

$r, t \models \varphi \wedge \psi$ iff $r, t \models \varphi$ and $r, t \models \psi$.

If a formula $\varphi$ is true at all times in a run $r$, we say $\varphi$ is valid in $r$ and write $r \models \varphi$. If $\varphi$ is valid
in all runs $r$, we simply say $\varphi$ is valid and write $\models \varphi$.³

Various properties of permission ($P$) and obligation ($\neg P\overline{(a, n)}$) follow from the above semantics.
In particular, we can see that $O(a, n)$ is true in a run $r$ at time $t$ if and only if $(a, n)$ is the
only action-name pair with license name $n$ in $P_r(t)$. In other words, an action is obligated if and only
if it is the only permitted action for that license. This is a consequence of the following proposition:

Proposition 2.1: For all action expressions $(a, n)$, the formula $P(a, n) \vee P\overline{(a, n)}$ is valid.

Hence, if $P\overline{(a, n)}$ is not true at a point, $P(a, n)$ must be true. Another consequence of the above
proposition is that $O(a, n) \Rightarrow P(a, n)$ is valid. These properties show that our operators $P$ and $O$,
although defined exclusively from the traces of the licenses issued in a run, satisfy some of the
classical properties of deontic logic operators, as given for instance in [Follesdal and Hilpinen 1981].
These properties are a consequence of our prescribed semantics and, as such, suggest a certain
deontic interpretation. In particular, the validity of $O(a, n) \Rightarrow P(a, n)$ indicates that obligation should
be read as "must" and not as "ought". It also reflects the fact that we cannot express conflicting
prohibitions and obligations in our framework.

³In an earlier version of this paper [Pucella and Weissman 2002], we considered two related semantics for formulas,
in the spirit of the logics presented by Halpern and van der Meyden [2001a, 2001b]. The first semantics, called the open
semantics, was defined with respect to an arbitrary interpretation $P$. The second semantics, called the closed semantics,
was defined from the open semantics by taking the minimal interpretation, as we do in this paper. Intuitively, the closed
semantics assumes that the run contains all the information relevant to interpret the formulas. This is often referred to
as the closed-world assumption. In other words, if a permission is not implied by the run, then it is not permitted. In
contrast, the open semantics admits that the run may not encode all the information, and therefore one cannot infer that
an action is not permitted simply because it is not implied by the run.

2.3 Encoding finite runs and licenses 

In this section, we show that any run can be "encoded" as a formula in our logic, provided that the
run is finite. By finite, we intuitively mean that nothing happens after a given time, and at each time
instant, only finitely many licenses are issued and non-$\bot$ actions are performed. Formally, a run $r$
is finite if there exists a natural number $t_f$ such that:

• for all $t \le t_f$, $lic(r, t)$ is finite,

• for all $t \le t_f$, $\{n : (a, n) \in act(r, t), a \neq \bot\}$ is finite,

• for all $t > t_f$, $lic(r, t) = \emptyset$, and

• for all $t > t_f$, $(a, n) \in act(r, t)$ implies $a = \bot$.

For convenience, we write $\bigcirc^k \varphi$ for the formula $\bigcirc \cdots \bigcirc \varphi$ that has $k$ occurrences of the $\bigcirc$
operator before $\varphi$. Given a finite run $r$, define $N_r$ to be the set of license names issued in $r$.
Formally, $N_r = \{n : \exists t, \ell.\ (n, \ell) \in lic(r, t)\}$. Define

$$\psi_r = \psi_0 \wedge \bigcirc\psi_1 \wedge \bigcirc^2\psi_2 \wedge \cdots \wedge \bigcirc^{t_f}\psi_{t_f} \wedge \bigcirc^{t_f + 1}\Box\psi_e,$$

where $t_f$ is the last time "something happened" in the run, $\psi_e$ is $\bigwedge_{n \in N_r} (\bot, n)$, and $\psi_t$, which
encodes the state of the run at time $t$, is:

$$\psi_t = \bigwedge_{(a, n) \in act(r, t),\ n \in N_r} (a, n) \wedge \bigwedge_{(n, \ell) \in lic(r, t)} n : \ell.$$

Finally, let $N_\varphi$ be the set of license names appearing in formula $\varphi$, defined in the obvious way. The
following proposition formalizes the fact that $\psi_r$ captures the important aspects of the run $r$.

Proposition 2.2: If $r$ is a finite run and $N_\varphi \subseteq N_r$, then $r, t \models \varphi$ iff $\models \psi_r \Rightarrow \bigcirc^t \varphi$.

It is interesting to note that $\psi_r$ does not specify explicitly the permissions implied by the run.
Intuitively, this is because the information encoded in $\psi_r$ is sufficient for the permissions to be
uniquely determined. To formalize this intuition, we show the more general result that issuing a
license results in the client's actions implying a particular set of permissions.

We use some notation from the theory of regular languages to formalize the general result.
Specifically, we let $\epsilon$ represent the empty action sequence and we extend the set of licenses to
include $0$ and $1$ where $\mathcal{L}[0] = \emptyset$ and $\mathcal{L}[1] = \{\epsilon\}$. We also define complementary functions
$S(\ell)$ and $D_a(\ell)$ where $\ell$ is a regular expression. For any action sequence $a_0, a_1, \ldots, a_n \in \mathcal{L}[\ell]$,
$S(\ell)$ is the set of actions containing $a_0$ and $D_{a_0}(\ell)$ is a regular expression such that $a_1, \ldots, a_n \in
\mathcal{L}[D_{a_0}(\ell)]$. Formally, $S(0) = \emptyset$, $S(1) = \emptyset$, $S(a) = \{a\}$, $S(\ell_1 \ell_2) = S(\ell_1)$ if $\epsilon \notin \mathcal{L}[\ell_1]$ and
$S(\ell_1) \cup S(\ell_2)$ otherwise, $S(\ell_1 \cup \ell_2) = S(\ell_1) \cup S(\ell_2)$, and $S(\ell^*) = S(\ell)$. $D_a(\ell)$ is called the
Brzozowski derivative of $\ell$ with respect to $a$ [Brzozowski 1964]. Its formal definition is: $D_a(a) = 1$,
$D_a(b) = 0$ for $b \neq a$, $D_a(\ell_1 \ell_2) = D_a(\ell_1)\ell_2$ if $\epsilon \notin \mathcal{L}[\ell_1]$ and $(D_a(\ell_1)\ell_2) \cup D_a(\ell_2)$ otherwise,
$D_a(\ell_1 \cup \ell_2) = D_a(\ell_1) \cup D_a(\ell_2)$, and $D_a(\ell^*) = D_a(\ell)\ell^*$.

Given these definitions, we inductively define a family of formulas for each named license
$(n, \ell)$. For any action sequence $a_0 a_1 \cdots a_n \in \mathcal{L}[\ell]$, the formulas say that $a_0$ is permitted and, if
the client does the action sequence $a_0 \cdots a_{i-1}$, then the client is permitted to do $a_i$ in $i$ time steps.
Formally:

$$\psi^0_{n, \ell} = \bigwedge_{a \in S(\ell)} P(a, n)$$

$$\psi^{i+1}_{n, \ell} = \bigwedge_{a \in S(\ell)} \left( P(a, n) \wedge \left( (a, n) \Rightarrow \bigcirc \psi^i_{n, D_a(\ell)} \right) \right).$$

The following proposition formalizes the intuition that by issuing a license, we force the client's
actions to imply a particular set of permissions.

Proposition 2.3: For any license $\ell$, the formulas $n : \ell \Rightarrow \psi^i_{n, \ell}$ are valid, for $i = 0, 1, 2, \ldots$

Hence, if the formula $\psi_r$ represents the finite run $r$ in the sense of Proposition 2.2, then every
named license $(n, \ell)$ issued in run $r$ will imply the formulas $\psi^i_{n, \ell}$, as per Proposition 2.3. Because
the conjunction of the actions specified in $\psi_r$ and the formula $\psi^i_{n, \ell}$ implies the permissions that
hold for run $r$ for $i$ time steps, Proposition 2.2 is true even though $\psi_r$ does not specify permissions
explicitly.
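The trace semantics of Section 2.2 and the $S$ / $D_a$ functions of Section 2.3 can be run mechanically. The following Python is an added example (not code from the paper): it computes $P_r(t)$ for a run by taking Brzozowski derivatives of each active license, derives obligations as the unique permitted action, and checks the client's actions against the specification $\Box[(\alpha \Rightarrow P\alpha) \wedge (O\alpha \Rightarrow \alpha)]$ of Section 2.1. It assumes licenses are encoded as tagged tuples and a run as a list of per-time (issued, actions) pairs; the journal run and the four-slot mortgage are constructed inputs.

```python
"""Trace semantics of Section 2.2 plus the S / D_a functions of Section 2.3
(added example, not the paper's code): compute P_r(t) for a run, derive
obligations, and flag violations of the specification from Section 2.1.
The action strings, license encodings and runs below are constructed."""

BOT = "⊥"  # the null "do nothing" action

# Licenses as tagged tuples: ("act", a) | ("cat", l1, l2) | ("alt", l1, l2)
# | ("star", l) | ZERO (L[0] = {}) | ONE (L[1] = {ε}).
ZERO, ONE = ("zero",), ("one",)

def act(a): return ("act", a)
def star(l): return ("star", l)
def cat(*ls): return ls[0] if len(ls) == 1 else ("cat", ls[0], cat(*ls[1:]))
def alt(*ls): return ls[0] if len(ls) == 1 else ("alt", ls[0], alt(*ls[1:]))

def nullable(l):
    """True iff ε ∈ L[l], i.e. the client may already have completed l."""
    k = l[0]
    if k in ("one", "star"): return True
    if k in ("zero", "act"): return False
    if k == "cat": return nullable(l[1]) and nullable(l[2])
    return nullable(l[1]) or nullable(l[2])  # alt

def S(l):
    """S(l): the actions that can begin a trace of l (Section 2.3)."""
    k = l[0]
    if k in ("zero", "one"): return set()
    if k == "act": return {l[1]}
    if k == "star": return S(l[1])
    if k == "cat": return S(l[1]) | (S(l[2]) if nullable(l[1]) else set())
    return S(l[1]) | S(l[2])  # alt

def D(a, l):
    """Brzozowski derivative D_a(l): what is left of l after the client does a."""
    k = l[0]
    if k == "act": return ONE if l[1] == a else ZERO
    if k in ("zero", "one"): return ZERO
    if k == "star": return ("cat", D(a, l[1]), l)
    if k == "alt": return ("alt", D(a, l[1]), D(a, l[2]))
    first = ("cat", D(a, l[1]), l[2])  # cat: D_a(l1) l2, plus D_a(l2) if ε ∈ L[l1]
    return ("alt", first, D(a, l[2])) if nullable(l[1]) else first

def residual(l, seq):
    """License left after the client performed seq, read against T[l] =
    {s·⊥^∞ : s ∈ L[l]}: once seq ∈ L[l], further ⊥ actions remain viable."""
    for a in seq:
        l = ("alt", D(a, l), ONE) if a == BOT and nullable(l) else D(a, l)
    return l

def permitted(l, seq):
    """The actions a such that seq·a is viable for l, i.e. P_r(t) for one
    active named license whose action sequence so far is seq (Section 2.2)."""
    res = residual(l, seq)
    return S(res) | ({BOT} if nullable(res) else set())

def analyze(run):
    """Walk a run, a list of (licenses issued at t, actions done at t) pairs,
    and report per time and license name: P_r(t), the obligated action (the
    unique permitted one, if any), the action done, and whether doing it
    violates □[(α ⇒ Pα) ∧ (Oα ⇒ α)]. Unissued names permit only ⊥."""
    licenses, history, report = {}, {}, []
    for issued, acts in run:
        for n, l in issued.items():
            assert n not in licenses, "a name is paired with at most one license"
            licenses[n], history[n] = l, []
        entry = {}
        for n, l in licenses.items():
            p = permitted(l, history[n])
            a = acts.get(n, BOT)
            entry[n] = {"permitted": p, "done": a, "violation": a not in p,
                        "obligated": next(iter(p)) if len(p) == 1 else None}
            history[n].append(a)
        report.append(entry)
    return report

PAY, RENDER = "pay[fee]", "render[journal,d]"
# Section 2.1's journal license: ℓ = ((pay[fee] ⊥* render[journal,d]) ∪ ⊥)*
JOURNAL = star(alt(cat(act(PAY), star(act(BOT)), act(RENDER)), act(BOT)))

def journal_report():
    """Issue ℓ as n; the client waits, pays, waits, renders, then renders
    again without paying (constructed run; the last step is a violation)."""
    run = [({"n": JOURNAL}, {"n": BOT}), ({}, {"n": PAY}), ({}, {"n": BOT}),
           ({}, {"n": RENDER}), ({}, {"n": RENDER})]
    return analyze(run)

# The introduction's mortgage, scaled down to four time units per month:
# $1500 in unit 0 or 1 ("before the fourth"), else $1525 in unit 2 or 3.
P1, P2, B = act("pay[1500]"), act("pay[1525]"), act(BOT)
MORTGAGE = alt(cat(P1, B, B, B), cat(B, P1, B, B), cat(B, B, P2, B), cat(B, B, B, P2))

def mortgage_report():
    """The client skips the early payment, so by unit 3 she is obligated to pay $1525."""
    run = [({"m": MORTGAGE}, {"m": BOT}), ({}, {"m": BOT}), ({}, {"m": BOT}),
           ({}, {"m": "pay[1525]"})]
    return analyze(run)

if __name__ == "__main__":
    for t, entry in enumerate(journal_report()):
        print("journal", t, entry["n"])
    for t, entry in enumerate(mortgage_report()):
        print("mortgage", t, entry["m"])
```

The journal run shows the Section 2.1 property (paying the fee permits, but does not oblige, rendering next) and catches the unpaid second render; the mortgage run shows how an obligation arises once only one legal sequence remains.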

3 Satisfiability and verification 

In this section, we examine the complexity of reasoning using $\mathcal{L}^{lic}$ and discuss a technique for
automatically checking if a client behavior specification is satisfied in a given run. As we mentioned in
the introduction, we are fundamentally interested in two classes of questions: does a set of licenses
have certain properties, and do a client's actions with respect to a set of licenses meet particular
specifications? The first question can be rephrased as "does a set of licenses imply a property,
regardless of what the client does, which licenses are issued, and when the licenses are issued?" In
other words, the first question corresponds to asking if a formula in our logic is valid (i.e., true in
all runs). The second question can be rephrased as "does a specification hold for a given sequence
of client actions and licenses issued?" In other words, the second question corresponds to asking if
a formula in our logic is true in a given run.

To answer the first question, we investigate the complexity of our satisfiability problem (i.e., the
problem of determining for any given $\mathcal{L}^{lic}$ formula $\varphi$ if there exists a run $r$ and a time $t$ such that
$r, t \models \varphi$). We can reduce the satisfiability problem for our logic to the satisfiability problem for
a "simpler" logic, Linear Temporal Logic (LTL), which is well-known in the formal verification
community. LTL is essentially a propositional logic with temporal operators. To distinguish the
LTL operators from the temporal operators in $\mathcal{L}^{lic}$, we use CTL syntax for LTL. Specifically, an
LTL formula $F$ is defined as:

$$F ::= p \mid F_1 \wedge F_2 \mid \neg F \mid XF \mid GF \mid F_1\, U\, F_2$$

where $p$ is a primitive proposition, $XF$ means that $F$ holds at the next time, $GF$ means that $F$
holds now and at all future times, and $F_1 U F_2$ means that $F_2$ eventually holds and, until it does, $F_1$
holds. Models for LTL are linear structures of the form $M = (S, L)$, where $S = \{s_0, s_1, s_2, \ldots\}$ is
a set of states and $L$ assigns to every state in $S$ the primitive propositions that are true in that state.
The definition of the satisfiability of an LTL formula $F$ in a linear structure $M$ at state $s$, written
$M, s \models_L F$, is straightforward. We refer to [Clarke, Grumberg, and Peled 1999] for more detail.
The key property of LTL that we will use is that the satisfiability problem for LTL is
PSPACE-complete [Sistla and Clarke 1985].

It is straightforward to encode a formula $F$ in LTL as a formula $\varphi$ in $\mathcal{L}^{lic}$ in such a way that $F$
is satisfiable if and only if $\varphi$ is satisfiable. Therefore, the satisfiability problem for $\mathcal{L}^{lic}$ is
PSPACE-hard. What is more interesting is that there is a polynomial reduction from the satisfiability problem
for $\mathcal{L}^{lic}$ to the satisfiability problem for LTL. At the heart of this reduction is a way to encode our
logic into LTL.

The first step of the reduction is to show that if a formula $\varphi$ is satisfiable in $\mathcal{L}^{lic}$, then it can
be translated into a satisfiable formula $\varphi^T$ in LTL. We will do this directly, by showing that we
can in fact transform the run $r$ in which $\varphi$ is true into a linear structure $M_r$ in which $\varphi^T$ is true.
Let $\Phi$ be the set of primitive propositions that we will use in our formula encoding, including
primitive propositions $issued(n, \ell)$ for every name $n$ and license $\ell$, and $done(a, n)$, $permitted(a, n)$
and $obligated(a, n)$ for each action $a$ and name $n$.

Given a run $r$, we construct a linear model $M_r = (S, L)$ where $S = \{s_0, s_1, s_2, \ldots\}$. For each
state $s_t$, which corresponds to the run at time $t$, $L(s_t)$ is defined as the smallest set such that:

• if $(n, \ell) \in lic(r, t)$, then $issued(n, \ell) \in L(s_t)$,

• if $(a, n) \in act(r, t)$, then $done(a, n) \in L(s_t)$,

• if $(a, n) \in P_r(t)$, then $permitted(a, n) \in L(s_t)$,

• if $(a, n) \in P_r(t)$ is the only action associated with license name $n$ in $P_r(t)$, then $obligated(a, n) \in L(s_t)$.

Given this structure $M_r$, it should be clear how to translate an $\mathcal{L}^{lic}$ formula $\varphi$ true in $r$ into a formula
$\varphi^T$ true in $M_r$. In particular, the following translation works:

• $(n : \ell)^T = issued(n, \ell)$.

• $(a, n)^T = done(a, n)$ and $\overline{(a, n)}^T = \neg done(a, n)$.

• $(P(a, n))^T = permitted(a, n)$ and $(P\overline{(a, n)})^T = \neg obligated(a, n)$.

• $(\varphi_1 \wedge \varphi_2)^T = \varphi_1^T \wedge \varphi_2^T$ and $(\neg\varphi)^T = \neg\varphi^T$.

• $(\bigcirc\varphi)^T = X\varphi^T$, $(\Box\varphi)^T = G\varphi^T$, and $(\varphi_1\, U\, \varphi_2)^T = \varphi_1^T\, U\, \varphi_2^T$.

It is straightforward to see that the above translations preserve the truth of the formula. In fact,
something stronger holds, which will be useful later in this section:

Proposition 3.1: $r, t \models \varphi$ iff $M_r, s_t \models_L \varphi^T$.

This means that if $\varphi$ is satisfiable in our logic, then $\varphi^T$ is satisfiable in LTL. However, the converse
does not hold. In particular, $\varphi^T$ may be satisfiable in an LTL structure that does not correspond
to any run. We need a way to restrict the LTL structures considered, to ensure that they
correspond to runs in $\mathcal{L}^{lic}$. Intuitively, we need to account in LTL for the notions that are implicit
in the $\mathcal{L}^{lic}$ semantics. In particular, we must enforce our requirements that two actions are never
done for the same license at the same time, two licenses are never labeled with the same name, an
obligation implies exactly one action is permitted for the license, a client is only permitted to do
actions other than $\bot$ for active licenses, and issuing a license implies various facts as discussed in
Section 2.3. It is easy to state all but the last of these in LTL.

Since we will only need to satisfy the above restrictions as they pertain to a given formula $\varphi$, we
enforce those restrictions over the actions, license names, and licenses appearing in $\varphi$. In general,
let $A$ be a finite set of actions, $N$ be a finite set of license names, and $L$ be a finite set of named
licenses. The restriction that at most one action is done per license name per time is expressed by
the following LTL formula $Done_{A,N}$:

$$G \bigwedge_{n \in N} \bigwedge_{a \in A} \left( done(a, n) \Rightarrow \bigwedge_{a' \in A,\ a' \neq a} \neg done(a', n) \right)$$

The restriction that a license name in $N$ is never associated with more than one license in $L$ is
expressed by the LTL formula $Issued_L$:

$$G \bigwedge_{(n, \ell) \in L} \left( issued(n, \ell) \Rightarrow \bigwedge_{(n', \ell') \in L,\ n' = n,\ \ell' \neq \ell} G\, \neg issued(n', \ell') \right)$$

The restriction that obligation is an abbreviation for only being allowed to do one action with respect
to a license is expressed by the LTL formula $Obl_{A,N}$:

$$G \bigwedge_{n \in N} \bigwedge_{a \in A} \left( obligated(a, n) \Leftrightarrow \left( permitted(a, n) \wedge \bigwedge_{a' \in A,\ a' \neq a} \neg permitted(a', n) \right) \right)$$

The restriction that a client can only do $\bot$ actions with respect to an unissued license is expressed
by the LTL formula $Unissued_L$:

$$\bigwedge_{(n, \ell) \in L} \left( obligated(\bot, n)\, U\, issued(n, \ell) \right).$$

To state the consequences of issuing a named license $(n, \ell)$, we first construct a nondeterministic
finite automaton (NFA) that accepts the same language as $\ell$ (when $\ell$ is viewed as a regular
expression), and encode the transition relation of the automaton as an LTL formula. Formally, we
construct the $\epsilon$-free NFA representing $\ell$ as $A_n = (Q_n, \Delta_n, S_n, F_n)$ where $Q_n$ is the set of states,
$\Delta_n$ is the transition relation, $S_n$ are the start states, and $F_n$ are the final states. For convenience, we
will write $\Delta_n(q)$ for $\{a : \exists q' \in Q_n.\ (q, a, q') \in \Delta_n\}$ and $\Delta_n(q, a)$ for $\{q' : (q, a, q') \in \Delta_n\}$. We
assume that we have primitive propositions in $\Phi$ to represent the states of the automaton, namely
$instate(n, q)$ for all $q \in Q_n$, and a primitive proposition $over(n)$ to represent the fact that we have
stopped taking transitions in the automaton (for instance, because the client performed an action
that was not permitted). The "effect" of taking a transition (from a finite set $A$ of actions) in a state
$q$ of $A_n$ can be represented by the following LTL formula $Trans_{n,q}$:

instate(n, q) =4* 

( f\ (permitted(a, n))A 

aeA n (g) 

(done(a, n) =4> 
V X(instate(n,g')) > 

f\ (-ipermitted(a,n))A 

aeA 
a^A n (g) 

f\ done(a, n) X(over(n)) 



. aeA 

\ a^A n (q) 



) 



We also need a statement to the effect that the automaton $A_n$ can only be in one state at any 
given time, or in a state satisfying $\mathit{over}$. This is expressed by the following LTL formula $\mathit{States}_n$: 

$$\Big( \mathit{over}(n) \wedge \bigwedge_{q \in Q_n} \neg\mathit{instate}(n, q) \Big) \vee \bigvee_{q \in Q_n} \Big( \mathit{instate}(n, q) \wedge \neg\mathit{over}(n) \wedge \bigwedge_{q' \in Q_n,\ q' \neq q} \neg\mathit{instate}(n, q') \Big)$$

The encoding of the NFA $A_n$ is then expressed by the following LTL formula $\mathit{NFA}_{n,\ell}$, which 
asserts the initial states of the automaton, as well as encoding all the transitions, including the 
transitions from the states where $\mathit{over}(n)$ holds: 

$$\Big( \bigvee_{q \in S_n} \mathit{instate}(n, q) \Big) \wedge G(\mathit{States}_n) \wedge G \Big( \bigwedge_{q \in Q_n} \mathit{Trans}_{n,q} \wedge \big( \mathit{over}(n) \Rightarrow (\mathit{obligated}(\bot, n) \wedge X(\mathit{over}(n))) \big) \Big)$$

The restriction that issuing a license implies the consequences described by the corresponding 
NFA is therefore expressed by the LTL formula $\mathit{Lic}_{L,A}$: 

$$G \bigwedge_{(n, \ell) \in L} \big( \mathit{issued}(n, \ell) \Rightarrow \mathit{NFA}_{n,\ell} \big).$$

Note that the formula corresponding to the NFA construction guarantees that only the $\bot$ action is 
allowed for a completed license. 
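To make the encoding concrete, the following is an added example (not code from the paper) that emits $\mathit{Trans}_{n,q}$, $\mathit{States}_n$ and $\mathit{NFA}_{n,\ell}$ as text for a small automaton constructed here. The textual LTL syntax (G, X, &, |, ->, !) is a generic choice that is not tied to any particular model checker, and the function names are this example's own.

```python
"""Emit the LTL constraints Trans_{n,q}, States_n and NFA_{n,l} of Section 3
for one license automaton.  Added illustration, not code from the paper; the
automaton is constructed sample data and the textual LTL syntax (G, X, &, |,
->, !) is a generic choice, not tied to any particular model checker."""
from typing import Iterable, List, Set, Tuple

BOT = "bot"                                  # the ⊥ action, spelled as an identifier
Transition = Tuple[str, str, str]            # (q, a, q') in Delta_n


def conj(parts: Iterable[str]) -> str:
    parts = list(parts)
    return "(" + " & ".join(parts) + ")" if parts else "TRUE"


def disj(parts: Iterable[str]) -> str:
    parts = list(parts)
    return "(" + " | ".join(parts) + ")" if parts else "FALSE"


def trans_formula(n: str, q: str, delta: Set[Transition], actions: Set[str]) -> str:
    """Trans_{n,q}: in state q exactly the actions of Delta_n(q) are permitted; doing
    one of them moves to a successor in Delta_n(q, a); doing anything else sets over(n)."""
    enabled = {a for (s, a, _) in delta if s == q}                      # Delta_n(q)

    def succ(a: str) -> List[str]:                                      # Delta_n(q, a)
        return [t for (s, b, t) in delta if s == q and b == a]

    moves = []
    for a in sorted(enabled):
        nxt = disj(f"instate({n},{t})" for t in succ(a))
        moves.append(f"(permitted({a},{n}) & (done({a},{n}) -> X{nxt}))")
    forbidden = conj(f"!permitted({a},{n})" for a in sorted(actions - enabled))
    stops = conj(f"(done({a},{n}) -> X over({n}))" for a in sorted(actions - enabled))
    return f"(instate({n},{q}) -> ({conj(moves)} & {forbidden} & {stops}))"


def states_formula(n: str, states: Set[str]) -> str:
    """States_n: either over(n) holds and no instate(n, q) does, or exactly one instate(n, q) holds."""
    none = conj(f"!instate({n},{q})" for q in sorted(states))
    one = []
    for q in sorted(states):
        others = conj(f"!instate({n},{r})" for r in sorted(states) if r != q)
        one.append(f"(instate({n},{q}) & !over({n}) & {others})")
    return f"((over({n}) & {none}) | {disj(one)})"


def nfa_formula(n: str, states: Set[str], initial: Set[str],
                delta: Set[Transition], actions: Set[str]) -> str:
    """NFA_{n,l}: start in an initial state, keep States_n invariant, apply every
    Trans_{n,q}, and once over(n) holds only bot is obligated and over(n) persists."""
    init = disj(f"instate({n},{q})" for q in sorted(initial))
    trans = conj(trans_formula(n, q, delta, actions) for q in sorted(states))
    sink = f"(over({n}) -> (obligated({BOT},{n}) & X over({n})))"
    return f"({init} & G {states_formula(n, states)} & G ({trans} & {sink}))"


# Constructed sample: the license "pay, then render once or stay idle" as an
# epsilon-free NFA over the action set {pay, render, bot}.
ACTIONS = {"pay", "render", BOT}
STATES = {"q0", "q1", "q2"}
INITIAL = {"q0"}
DELTA: Set[Transition] = {("q0", "pay", "q1"), ("q1", "render", "q2"), ("q1", BOT, "q2")}

if __name__ == "__main__":
    print(nfa_formula("n1", STATES, INITIAL, DELTA, ACTIONS))
```

The generated text grows linearly in $|Q_n| \cdot |A|$ per license, which is what makes the size of $\varphi^T \wedge \varphi^I$ polynomial in $\varphi$ as claimed in the proof of Theorem 3.3.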

We now associate with every $\mathcal{L}_{hc}$ formula $\varphi$ the LTL formula $\varphi^I$ that captures all the implicit 
restrictions required for our treatment of $\varphi$. Recall from Section 2.3 that $N_\varphi$ represents the set 
of license names appearing in $\varphi$. In a similar way, define $A_\varphi$ to be the set of actions explicitly 
appearing in $\varphi$, and define $L_\varphi$ to be the set of named licenses appearing in $\varphi$ (i.e., occurrences of 
the $n : \ell$ formula). We take $\varphi^I$ to be: 

$$\mathit{Done}_{A_\varphi, N_\varphi} \wedge \mathit{Issued}_{L_\varphi} \wedge \mathit{Obl}_{A_\varphi, N_\varphi} \wedge \mathit{Unissued}_{L_\varphi} \wedge \mathit{Lic}_{L_\varphi, A_\varphi}.$$

We can formally verify that the formula $\varphi^I$ does indeed capture the implicit restrictions imposed by 
the semantics of $\mathcal{L}_{hc}$, as far as they pertain to formula $\varphi$. We can show: 

Proposition 3.2: If $M, s \models_L \varphi^T \wedge \varphi^I$, then there exists a run $r$ such that $r, 0 \models \varphi$. 

Propositions 3.1 and 3.2 can be used to derive the following characterization of the complexity 
of the logic: 

Theorem 3.3: The satisfiability problem for $\mathcal{L}_{hc}$ is PSPACE-complete. 

Since a formula $\varphi$ is valid if and only if $\neg\varphi$ is not satisfiable, a corollary of Theorem 3.3 is that 
determining if a formula $\varphi$ of our logic is valid is also a PSPACE-complete problem. 

It is much easier to answer our second question. The above discussion in fact hints at a suitable 
approach: we reduce the model-checking problem for our logic to one for LTL and then apply 
existing verification technology developed for LTL. More specifically, we translate the run (and 
associated minimal interpretation $P_r$) into a linear structure with a state for each time and atomic 
propositions for the licenses issued, client actions, permissions and obligations. 

We restrict our attention to finite runs, as defined in Section 2.3, because we want to give an 
algorithm for deciding if a formula holds in a given model. (In practice, we expect to have a 
description of client behavior for a period of time and we want to establish permissions or obligations 
given that behavior; this can be modeled with a finite run.) The idea is simply to use the construction 
of the LTL structure $M_r$ as given earlier, and use Proposition 3.1. The only problem is that 
the construction of $M_r$ assumes that we have the permission interpretation $P_r$. To construct $M_r$ 
efficiently, we need a way to compute $P_r$ efficiently. For each named license $(n, \ell)$ (finitely many 
by assumption), we construct an NFA that accepts the language represented by $\ell$. We associate a 
subset of the NFA's states with every time $t$ after the license is issued. Specifically, the NFA's initial 
states are associated with the time when the license is issued. The states associated with any later 
time $t + 1$ are the states that can be reached by one transition from a state associated with time $t$. 
For every time $t$ after the license is issued, the set of permitted actions $P_{r,n}(t)$ is the set of actions 
labelling transitions out of the states associated with $t$. Finally, for any time $t$, $P_r(t)$ is the union of $P_{r,n}(t)$ for 
all licenses named $n$ issued by time $t$. This procedure constructs $P_{r,n}(t)$ in polynomial time with 
respect to the size of the run. 

Proposition 3.4: There exists a polynomial time algorithm for computing the interpretation $P_r$ 
corresponding to a finite run $r$. 

Combining the computation of $P_r$ from $r$ with the construction of the model $M_r$ given earlier 
and applying known LTL model-checking techniques, model checking can be done reasonably 
efficiently, at least for a small specification $\varphi$: 

Theorem 3.5: There exists an algorithm for deciding if a formula $\varphi$ is true in a finite run $r$ at time 
$t$. Furthermore, the algorithm runs in polynomial time with respect to the size of the model $r$ and in 
exponential time with respect to the size of the formula $\varphi$. 

A straightforward modification to the above procedure would allow us to check the validity of a 
formula $\varphi$ in a run $r$ (i.e., check that $\varphi$ holds throughout the run). 

Proposition 3.6: $r \models \varphi$ iff $M_r, s_0 \models_L G(\varphi^T)$. 

Finally, note that the model $M_r$ is constructed without regard to the formula $\varphi$ whose truth 
value we want to check. Therefore, we can construct $M_r$ once and use it to model-check different 
formulas, each translated to LTL, against the run $r$. 

4 Handling different license languages 

In discussing our logic thus far, we have assumed that the licenses are written in a regular language. 
Although a regular language has the benefits of being well-known, simple, and fairly expressive, 
it is not difficult to imagine settings in which another license language is more appropriate. A key 
feature of our logic is that it can be adapted in a straightforward way to reason about licenses that 
are written in any language that has a trace-based semantics. To illustrate this flexibility, we will 
modify our logic to handle the licenses presented in Gunter et al. [2001]. 

For ease of exposition, we consider a restricted version of DigitalRights [Gunter, Weeks, and 
Wright 2001].^4 The syntax of licenses is given by the following grammar: 

e ::= (for p | for [upto] m p) pay x (upfront | flatrate | peruse) for W on D 

where $p$ is a period of time (a number of time units), $x$ is a payment amount, $W$ is a subset of works, 
and $D$ is a subset of devices. The terms upfront, flatrate and peruse refer to the payment schedule. 
The upfront schedule requires payment at the beginning of the time period. The flatrate and peruse 
schedules require payment at the end of the time period. The difference between the two is that 
the payment for flatrate does not depend on the number of renderings, while the one for peruse 
does. If we let $H$ be a payment schedule (upfront, flatrate or peruse), then a license of the form 
for p pay x H for W on D means that for the time period indicated by $p$, the client is required to 
pay $x$, according to schedule $H$, in order to render any of the works in $W$ on a device in $D$. Instead 
of beginning with for p, a license can start with for m p. If the license starts with for m p, then the 
body of the license is valid for $m$ time periods of length $p$, but can be canceled at the end of any 
period. 

As an example, consider the license 

for 3 100 pay 10.00 flatrate for W on D 

where $W$ is a set of works and $D$ is a set of devices. This license allows the client to render any 
work in $W$ on a device in $D$ by paying a flat rate of 10.00 at the end of every 100 time units, for 3 
such time periods. 

^4 The original DigitalRights allows one to specify the time at which a client can activate a license. Roughly speaking, 
we could capture this in our model by adding license activation as an action. 

We can incorporate this license language in our logic by replacing our syntax for licenses ($\ell$) 
with expressions in the above language. To define the function $\mathcal{L}[\![-]\!]$, which interprets licenses as 
sets of traces in the semantics of our logic, we adapt the semantics of [Gunter, Weeks, and Wright 
2001]. (The main difference is that we have a fixed time granularity, whereas the original semantics 
uses real numbers as time stamps for events.) 

To build up the function $\mathcal{L}[\![-]\!]$, we first assign sets of traces to the simplest licenses, those that 
are valid for a single period. The set of traces that allow for a payment of $x$ to view works from $W$ 
on devices from $D$, for a period of $p$ time units, depends on the payment schedule. The traces for an 
upfront schedule are defined as: 

$$\mathit{UpFront}(x, p, W, D) = \{ \mathit{pay}[x]\, a_1 \cdots a_{p-1} \mid a_i \text{ is either } \bot \text{ or } \mathit{render}[w, d] \text{ for some } w \in W \text{ and } d \in D \}.$$

The traces for a flat rate schedule are defined as: 

$$\mathit{FlatRate}(x, p, W, D) = \{ a_0 \cdots a_{p-2}\, \mathit{pay}[x] \mid a_i \text{ is either } \bot \text{ or } \mathit{render}[w, d] \text{ for some } w \in W \text{ and } d \in D \}.$$

The set of traces for a per use schedule is defined as: 

$$\mathit{PerUse}(x, p, W, D) = \{ a_0 \cdots a_{p-2}\, \mathit{pay}[nx] \mid a_i \text{ is either } \bot \text{ or } \mathit{render}[w, d] \text{ for some } w \in W \text{ and } d \in D, \text{ and } n = |\{ a_i \mid a_i \neq \bot \}| \}.$$

Given two sets of traces $S_1$ and $S_2$, we define $S_1 \cdot S_2$ as the set $\{ s_1 \cdot s_2 \mid s_1 \in S_1, s_2 \in S_2 \}$. In other 
words, $S_1 \cdot S_2$ is the set of all concatenations of traces from $S_1$ and $S_2$. We write $S^n$ for $\underbrace{S \cdot S \cdots S}_{n}$. 

Using the above definitions, we define the function $\mathcal{L}[\![-]\!]$ as: 

$$\mathcal{L}[\![\text{for } p\ z]\!] = \mathcal{M}[\![z]\!](p)$$
$$\mathcal{L}[\![\text{for } m\ p\ z]\!] = (\mathcal{M}[\![z]\!](p))^m$$
$$\mathcal{L}[\![\text{for upto } m\ p\ z]\!] = \bigcup_{n=0}^{m} (\mathcal{M}[\![z]\!](p))^n,$$

where $\mathcal{M}[\![-]\!]$ generates the traces for a single time period: 

$$\mathcal{M}[\![\text{pay } x \text{ upfront for } W \text{ on } D]\!](p) = \mathit{UpFront}(x, p, W, D)$$
$$\mathcal{M}[\![\text{pay } x \text{ flatrate for } W \text{ on } D]\!](p) = \mathit{FlatRate}(x, p, W, D)$$
$$\mathcal{M}[\![\text{pay } x \text{ peruse for } W \text{ on } D]\!](p) = \mathit{PerUse}(x, p, W, D).$$

As expected, the semantics of the logic defined in Section 2 carries over verbatim with the above 
changes. 
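The trace semantics just defined, implemented as a membership test for the restricted DigitalRights fragment, as an added example that is not code from the paper or from Gunter et al. The encoding of actions as Python tuples, the `License` record and the function names are this example's own assumptions; `single_period_traces` enumerates $\mathcal{M}[\![z]\!](p)$ explicitly for a small $p$, which is the finiteness of the single-period sets that the regularity argument below depends on.

```python
"""Trace semantics of the restricted DigitalRights fragment (Section 4).

Added illustration, not code from the paper or from the DigitalRights work.
Actions are encoded as tuples; the License record and all names are assumptions
of this example.  Sample licenses below are constructed, not taken from any system."""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Optional, Set, Tuple

BOT = "⊥"                    # the "do nothing" action
Action = Tuple               # ("pay", amount), ("render", work, device), or BOT


def pay(x: float) -> Action:
    return ("pay", x)


def render(w: str, d: str) -> Action:
    return ("render", w, d)


@dataclass(frozen=True)
class License:
    """for p z | for m p z | for upto m p z,  with  z = pay x H for W on D."""
    p: int                   # length of one period, in time units
    x: float                 # payment amount
    schedule: str            # "upfront" | "flatrate" | "peruse"
    works: FrozenSet[str]    # W
    devices: FrozenSet[str]  # D
    m: Optional[int] = None  # None: a single period ("for p z")
    upto: bool = False       # True: "for upto m p z" (cancellable after any period)


def _is_slot(lic: License, a: Action) -> bool:
    """a_i is either ⊥ or render[w, d] with w in W and d in D."""
    return a == BOT or (a[0] == "render" and a[1] in lic.works and a[2] in lic.devices)


def in_period(lic: License, seg: List[Action]) -> bool:
    """Membership in UpFront / FlatRate / PerUse(x, p, W, D) for one period of length p."""
    if len(seg) != lic.p:
        return False
    if lic.schedule == "upfront":                       # pay[x] a_1 ... a_{p-1}
        return seg[0] == pay(lic.x) and all(_is_slot(lic, a) for a in seg[1:])
    slots, last = seg[:-1], seg[-1]                     # a_0 ... a_{p-2} pay[...]
    if not all(_is_slot(lic, a) for a in slots):
        return False
    if lic.schedule == "flatrate":
        return last == pay(lic.x)
    if lic.schedule == "peruse":
        n = sum(1 for a in slots if a != BOT)           # n = |{a_i : a_i != ⊥}|
        return last == pay(n * lic.x)
    raise ValueError(lic.schedule)


def in_license(lic: License, trace: List[Action]) -> bool:
    """trace ∈ L[e]: a concatenation of k single-period traces, k fixed by the
    license form (1 for 'for p', m for 'for m p', any 0 <= k <= m for 'for upto m p')."""
    if len(trace) % lic.p:
        return False
    k = len(trace) // lic.p
    if lic.m is None and k != 1:
        return False
    if lic.m is not None and not lic.upto and k != lic.m:
        return False
    if lic.m is not None and lic.upto and k > lic.m:
        return False
    return all(in_period(lic, trace[i * lic.p:(i + 1) * lic.p]) for i in range(k))


def single_period_traces(lic: License) -> Set[Tuple[Action, ...]]:
    """Enumerate M[z](p) explicitly; it is finite because p, W and D are finite."""
    choices = [BOT] + [render(w, d) for w in sorted(lic.works) for d in sorted(lic.devices)]
    out: Set[Tuple[Action, ...]] = set()
    for slots in product(choices, repeat=lic.p - 1):
        n = sum(1 for a in slots if a != BOT)
        if lic.schedule == "upfront":
            out.add((pay(lic.x),) + slots)
        elif lic.schedule == "flatrate":
            out.add(slots + (pay(lic.x),))
        else:
            out.add(slots + (pay(n * lic.x),))
    return out


# Constructed sample: the paper's example "for 3 100 pay 10.00 flatrate for W on D"
# with W = {song} and D = {phone}.
W, D = frozenset({"song"}), frozenset({"phone"})
PAPER_EXAMPLE = License(p=100, x=10.00, schedule="flatrate", works=W, devices=D, m=3)

if __name__ == "__main__":
    good = ([render("song", "phone")] * 99 + [pay(10.00)]) * 3
    print(in_license(PAPER_EXAMPLE, good))                       # three full periods, paid on time
    print(in_license(PAPER_EXAMPLE, good[:-1] + [pay(9.99)]))    # wrong amount in the last period
```

A trace that ends a period with the wrong payment, renders a work outside $W$, or stops after fewer than $m$ periods (without upto) is rejected, which is exactly the set of traces an enforcement mechanism should treat as outside the license.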

The DigitalRights language given above is not more expressive than the regular one that we 
introduced in Section 2. It is easy to see that for any license $e$ in DigitalRights, the set of traces $\mathcal{L}[\![e]\!]$ 
can be expressed by a regular language. Because the sets $\mathit{UpFront}(x, p, W, D)$, $\mathit{FlatRate}(x, p, W, D)$, 
and $\mathit{PerUse}(x, p, W, D)$ are finite for any $p$, $x$, $W$ and $D$, it is trivial to express them using a regular 
language. The concatenation operation $S_1 \cdot S_2$ preserves regularity, as does union; therefore it is 
possible to express any license written in DigitalRights as a regular one. There are, however, 
advantages to using the DigitalRights language. The translation of a DigitalRights license yields a 
large regular expression that may be significantly less efficient to verify than the original license. 
Another benefit is that the DigitalRights language is easier to understand. 

It should be noted that not every license language is necessarily subsumed by the language of 
regular expressions. To see this, consider a license in some license language that can be canceled 
whenever the number of renderings equals the number of payments. The set of traces corresponding 
to such a license is not regular, by a well-known result from formal language theory (see for instance 
[Hopcroft and Ullman 1969]). Therefore, any language that can be used to state this license is not 
equivalent to any sublanguage of the regular expressions. 

5 Related work 

The inspiration for our work comes from the field of program verification, where one finds logics 
such as Hoare Logic [Hoare 1969] and Dynamic Logic [Harel, Kozen, and Tiuryn 2000] to reason 
about properties of programs. Our logic is similar to those, in the sense that our formulas contain 
explicit licenses, in much the same way that theirs contain explicit programs. Logics of this type are 
often referred to as exogenous. In contrast, endogenous logics do not explicitly mention programs; 
to analyze a program with such a logic, one builds a model for that specific program, and uses 
the logic to analyze the model. One advantage of using an exogenous logic is that it allows the 
behavior of two programs to be compared within the logic. In our case, it allows us to compare the 
effect of different licenses within the logic. An endogenous logic, however, permits more efficient 
verification procedures. To get this benefit, our verification procedures in Section 3 essentially 
convert formulas from our logic into formulas of an endogenous logic, viz. temporal logic. 

Although our logic is an exogenous logic inspired by Dynamic Logic, its models are quite 
different. In Dynamic Logic, programs guide the state transitions in the model. Licenses, on the 
other hand, do not affect states. Instead, they are used to specify permissions and obligations. The 
models of our logic are primarily influenced by the work of Halpern and van der Meyden [2001b] on 
formalizing SPKI [Ellison, Frantz, Lampson, Rivest, Thomas, and Ylonen 1999]. SPKI is used to 
account for access rights based on certificates received. Similarly, we base the right to do actions on 
the licenses received. In fact, we could imagine licenses being implemented with SPKI certificates. 

Permissions and obligations are key concepts in our approach. These notions are typically stud- 
ied in the philosophical literature under the heading of deontic logic [Meyer and Wieringa 1993]. 
Early accounts of deontic logic failed to differentiate between actions and assertions, leading to 
many paradoxical and counterintuitive propositions (see for instance [Follesdal and Hilpinen 1981]). 
The idea of separating actions from assertions has led to a recasting of deontic logic as a variant of 
Dynamic Logic [Meyer 1988; Meyden 1990]. Models for deontic dynamic logics specify explicitly 
either which states represent the violation of an obligation or a permission or which transitions are 
permitted or forbidden. In [Meyer 1988], a special formula V is introduced in the logic, and any 
state that satisfies V is deemed a violation. Intuitively, an action a is permitted in a state if it is pos- 
sible to reach a state via a where V does not hold. Conversely, an action is obligatory if performing 
any other action leads to a state where $V$ holds. In [Meyden 1990], it is the transitions between 
states that are deemed permitted or forbidden. $\mathcal{L}_{hc}$ is different from these approaches, because we 
derive our permissions and obligations from the licenses issued in the run. This indirection means 
that we do not have to explicitly model the permissions and obligations. In addition, we can easily 
change the model to account for different licenses. 

Finally, deontic logic has been used to reason about contracts. This is intriguing, because a 
license can be viewed as a restricted form of contract. Research in this direction includes work by 
Lee [1988], which focuses on developing a logical language based on predicate logic with temporal 
operators. Deontic operators are handled using a specific predicate to represent a violation (in this 
context, defaulting on a contract). Unfortunately, the logic is not meant to reason about contracts 
written in some language. Instead, the models for the logic represent the contracts to be analyzed. In 
other words, for each contract that he wants to study, Lee builds a specific model encoding violations 
at the appropriate states. 

6 Conclusion 

In this paper we have introduced a framework for precisely stating and rigorously proving properties 
of licenses. We also have illustrated how our logic can be modified to reason about licenses that are 
written in any language with a trace-based semantics. This flexibility provides us with a common 
ground in which to compare different rights languages with trace-based semantics. We intend to 
report on these comparisons in the future. While useful in its own right, the logic is a simple foun- 
dation on which more expressive rights management logics can be built. For example, the logic can 
be modified in a straightforward manner to support multiple clients and multiple providers. Multiple 
providers are an especially interesting case, because they allow us to study the management of licensing 
rights, the rights required for one provider to legitimately offer another provider's work to a client. 
We plan to examine various extensions in the near future. There remain interesting questions about 
the foundation of $\mathcal{L}_{hc}$, such as axiomatizations for the logic. Finally, as mentioned previously, our 
operators $P$ and $O$ have a distinctly deontic flavor. It would be interesting to establish a correspondence 
between our approach and existing deontic frameworks, in particular deontic logics of actions 
[Khosla and Maibaum 1987; Meyer 1988; Meyden 1990]. 
A Proofs 

Proposition 2.1: For all action expressions $(a, n)$, the formula $P(a, n) \vee P(\overline{(a, n)})$ is valid. 

Proof: The validity of this formula is a consequence of the fact that $P_r(t)$ contains at least one 
action corresponding to every license name $n$. Given a run $r$ and a time $t$, consider the action 
expression $(a, n)$. We know there must exist an action-name pair $(b, n)$ in $P_r(t)$. Two cases arise. 
If $a = b$, then $(a, n)$ is in both $\mathcal{A}[\![(a, n)]\!]$ and $P_r(t)$, and thus $r, t \models P(a, n)$. If $a \neq b$, then $(b, n)$ is 
in both $\mathcal{A}[\![\overline{(a, n)}]\!]$ and $P_r(t)$, and thus $r, t \models P(\overline{(a, n)})$. Therefore, we have $r, t \models P(a, n) \vee P(\overline{(a, n)})$. 
Since the above holds for all $r$ and $t$, $\models P(a, n) \vee P(\overline{(a, n)})$. ∎ 

Proposition 2.2: If $r$ is a finite run and $N_\varphi \subseteq N_r$, then $r, t \models \varphi$ iff $\models \psi_r \Rightarrow \bigcirc^t \varphi$. 

To simplify the proof, we introduce the following notation. Given runs $r, r'$, times $t, t'$, and a 
subset $N$ of $\mathit{Names}$, define $(r, t) \leq_N (r', t')$ if for all $i \geq 0$, $\mathit{lic}(r, t + i) \subseteq \mathit{lic}(r', t' + i)$ and 
$(\mathit{act}(r, t + i) \cap (\mathit{Act} \times N)) = (\mathit{act}(r', t' + i) \cap (\mathit{Act} \times N))$. Intuitively, $(r, t) \leq_N (r', t')$ if every 
license issued by $r$ (starting at time $t$) is also issued in $r'$ (starting at time $t'$), and moreover the 
two runs agree on the actions corresponding to license names in $N$. The following lemmas capture 
the relevant properties of the $\leq_N$ relation. Recall that $N_\varphi$ is the set of license names appearing in 
formula $\varphi$. 

Lemma A.1: For any $\varphi$ such that $N_\varphi \subseteq N_r$, if $(r, 0) \leq_{N_r} (r', t')$, then $r, i \models \varphi$ iff $r', t' + i \models \varphi$ 
for all $i \geq 0$. 

Proof: By induction on the structure of $\varphi$. We prove the nontrivial cases here. Consider $\varphi = n : \ell$. 
If $r, i \models n : \ell$, then $(n, \ell) \in \mathit{lic}(r, i) \subseteq \mathit{lic}(r', t' + i)$, and hence $r', t' + i \models n : \ell$. Conversely, 
if $r', t' + i \models n : \ell$, then since $N_\varphi \subseteq N_r$, license name $n$ must appear in $r$, and by definition of 
$(r, 0) \leq_{N_r} (r', t')$ and the fact that license names can be associated with only one license in a run, 
it must be the case that $(n, \ell) \in \mathit{lic}(r, i)$. Hence, $r, i \models n : \ell$. The cases for $(a, n)$ and $\overline{(a, n)}$ 
follow from $r$ and $r'$ agreeing on the actions for license names $n \in N_\varphi \subseteq N_r$. For $P(a, n)$ and 
$P(\overline{(a, n)})$, because $r$ and $r'$ agree on the licenses issued with name $n \in N_\varphi \subseteq N_r$, and because $r$ 
and $r'$ agree on the actions pertaining to license name $n$, $P_r$ and $P_{r'}$ agree on the permissions with 
respect to license name $n$, from which the result follows. The remaining cases are a straightforward 
application of the inductive hypothesis. ∎ 

Lemma A.2: $r', t' \models \psi_r$ iff $(r, 0) \leq_{N_r} (r', t')$. 

Proof: We know by definition that $r', t' \models \psi_r$ if and only if $r', t' \models \psi_0$, $r', t' + 1 \models \psi_1$, \ldots, 
$r', t' + t_f \models \psi_{t_f}$, and $r', t' + t \models \psi_e$ for all $t > t_f$. Given the definition of $\psi_0, \ldots, \psi_{t_f}$ and $\psi_e$, this 
is equivalent to $\mathit{lic}(r, 0) \subseteq \mathit{lic}(r', t')$, \ldots, $\mathit{lic}(r, t_f) \subseteq \mathit{lic}(r', t' + t_f)$, $\mathit{lic}(r, t) = \emptyset \subseteq \mathit{lic}(r', t' + t)$ 
for $t > t_f$, and moreover $r(i)$ and $r'(t' + i)$ agree on the actions pertaining to license names $n \in N_r$ 
for all $i \geq 0$. This just says that $(r, 0) \leq_{N_r} (r', t')$. ∎ 

Proof: (Proposition 2.2) Note that $r, t \models \varphi$ iff $r, 0 \models \bigcirc^t \varphi$. Thus, it is sufficient to show that 

$$r, 0 \models \varphi \text{ iff } \models \psi_r \Rightarrow \varphi.$$

First, assume that $r, 0 \models \varphi$. Let $r', t'$ be an arbitrary run and time. If $r', t' \models \psi_r$, then 
by Lemma A.2, $(r, 0) \leq_{N_r} (r', t')$. Since $N_\varphi \subseteq N_r$, Lemma A.1 implies that $r', t' \models \varphi$. This 
establishes that $r', t' \models \psi_r \Rightarrow \varphi$. Since $r', t'$ was arbitrary, $\models \psi_r \Rightarrow \varphi$ holds. 

For the converse direction, assume that $\models \psi_r \Rightarrow \varphi$. In particular, $r, 0 \models \psi_r \Rightarrow \varphi$. Since 
$(r, 0) \leq_{N_r} (r, 0)$, Lemma A.2 implies that $r, 0 \models \psi_r$, and hence $r, 0 \models \varphi$. ∎ 
Proposition 2.3: For any license $\ell$, the formulas $n : \ell \Rightarrow \varphi^i_{n,\ell}$ are valid, for $i = 0, 1, 2, \ldots$. 

Proof: The proof relies on a suitable application of standard properties of regular expressions, and 
much formal symbolic manipulation. We sketch the argument here. First, extend the definition of 
$S$ to handle more than a single action. Let $S^k(\ell)$ (for $k \geq 1$) be the function that returns the set 
of all prefixes of length $k$ of action sequences associated with $\ell$. Formally, $S^1(\ell) = S(\ell)$, and 
$S^{k+1}(\ell) = \{ a\sigma : a \in S(\ell), \sigma \in S^k(D_a(\ell)) \}$. 
Given this definition, we can verify that the formula $\varphi^{i+1}_{n,\ell}$ is equivalent to $\varphi^i_{n,\ell} \wedge \psi^{i+1}_{n,\ell}$, where 
$\psi^{i+1}_{n,\ell}$ is the formula 

$$\bigwedge_{a_0 \cdots a_{i+1} \in S^{i+2}(\ell)} \Big( (a_0, n) \wedge \bigcirc(a_1, n) \wedge \cdots \wedge \bigcirc^i(a_i, n) \Rightarrow \bigcirc^{i+1} P(a_{i+1}, n) \Big).$$

Let $r, t$ be an arbitrary run and time. We show by induction that $r, t \models n : \ell \Rightarrow \varphi^i_{n,\ell}$ for all $i \geq 0$. 
Assume $r, t \models n : \ell$, that is, $(n, \ell) \in \mathit{lic}(r, t)$. The base case of the induction is verified by noticing 
that $\varphi^0_{n,\ell} = \bigwedge_{a \in S(\ell)} P(a, n)$, and by the definition of $P_r(t)$, for all $a \in S(\ell)$, $(a, n) \in P_r(t)$, 
so that $r, t \models P(a, n)$. The induction step follows by a similar reasoning. Assume $r, t \models \varphi^i_{n,\ell}$. 
Given the above equivalence, it is sufficient to show that $r, t \models \psi^{i+1}_{n,\ell}$ to establish the result. For 
any $a_0 \cdots a_{i+1} \in S^{i+2}(\ell)$, if $r, t \models (a_0, n) \wedge \bigcirc(a_1, n) \wedge \cdots \wedge \bigcirc^i(a_i, n)$, then $r, t \models (a_0, n)$, 
$r, t + 1 \models (a_1, n)$, \ldots, $r, t + i \models (a_i, n)$. Since $a_0 \cdots a_i a_{i+1} \in S^{i+2}(\ell)$, it is viable for $\ell$ and hence 
$(a_{i+1}, n) \in P_r(t + i + 1)$, that is, $r, t + i + 1 \models P(a_{i+1}, n)$, or $r, t \models \bigcirc^{i+1} P(a_{i+1}, n)$, as required. 
Since this is true for all sequences in $S^{i+2}(\ell)$, we have $r, t \models \psi^{i+1}_{n,\ell}$, establishing our result. ∎ 

Proposition 3.1: $r, t \models \varphi$ iff $M_r, s_t \models_L \varphi^T$. 

Proof: We prove by induction on the structure of $\varphi$ that for all $t$, $r, t \models \varphi$ iff $M_r, s_t \models_L \varphi^T$. We 
give a few representative cases here, the remaining cases being similar. 

Consider $\varphi = n : \ell$. For any $t$, we have $r, t \models n : \ell$ iff $(n, \ell) \in \mathit{lic}(r, t)$ iff $\mathit{issued}(n, \ell) \in L(s_t)$ 
(by construction of $L(s_t)$) iff $M_r, s_t \models_L \mathit{issued}(n, \ell)$. 

Consider $\varphi = P(\overline{(a, n)})$. For any $t$, we have $r, t \models P(\overline{(a, n)})$ iff $(b, n) \in P_r(t)$ for some $b \neq a$ 
iff $\mathit{obligated}(a, n)$ is not in $L(s_t)$ (since $(a, n)$ cannot be the unique action in $P_r(t)$) iff 
$M_r, s_t \models_L \neg\mathit{obligated}(a, n)$. 

Consider $\varphi = \bigcirc\varphi'$. For any $t$, we have $r, t \models \bigcirc\varphi'$ iff $r, t + 1 \models \varphi'$ iff $M_r, s_{t+1} \models_L (\varphi')^T$ (by 
hypothesis) iff $M_r, s_t \models_L X(\varphi')^T$, and $(\bigcirc\varphi')^T = X(\varphi')^T$. ∎ 

Proposition 3.2: If $M, s \models_L \varphi^T \wedge \varphi^I$, then there exists a run $r$ such that $r, 0 \models \varphi$. 

Proof: Without loss of generality, $M = (S, L)$ with $S = \{ s_0, s_1, \ldots \}$, and $s = s_0$. (If not, $s = s_t$ 
for some $t$, and take $M' = (S', L)$ where $S' = \{ s_t, s_{t+1}, \ldots \}$, and we can check that $M', s \models_L \varphi^T \wedge \varphi^I$.) 
Construct the run $r_M$ as follows: for all $t \geq 0$, $r_M(t) = (L_M(t), A_M(t))$, where 
$L_M(t) = \{ (n, \ell) : \mathit{issued}(n, \ell) \in L(s_t) \}$, and $A_M(t)(n) = a$ if $\mathit{done}(a, n) \in L(s_t)$, and $A_M(t)(n) = \bot$ 
otherwise. This is a well-defined run, because $M, s_0$ satisfies $\mathit{Done}_{A_\varphi, N_\varphi}$ and $\mathit{Issued}_{L_\varphi}$. We next 
check that for all $t \geq 0$, $P_{r_M}(t) = \{ (a, n) : \mathit{permitted}(a, n) \in L(s_t) \}$. The details are routine, 
if tedious. Essentially, every path through the automaton encoded in $\mathit{NFA}_{n,\ell}$ corresponds to a 
viable trace of the license $\ell$ from the point where the license is issued. A straightforward proof by 
induction establishes that $r_M, 0 \models \varphi$. ∎ 
Theorem 3.3: The satisfiability problem for $\mathcal{L}_{hc}$ is PSPACE-complete. 

Proof: For the lower bound, we show that we can reduce the satisfiability problem for LTL to 
the satisfiability problem for $\mathcal{L}_{hc}$. Let $F$ be a formula of LTL, over primitive propositions 
$\Phi_F = \{ p_1, \ldots, p_n \}$. We first rewrite $F$ into a formula $\varphi_F$ of $\mathcal{L}_{hc}$, by picking an arbitrary non-$\bot$ action in 
$\mathit{Act}$ (call it $\star$) and a name $n_p$ for every $p \in \Phi_F$, and replacing every primitive proposition $p$ in $F$ 
by the action expression $(\star, n_p)$, and replacing $G$, $X$, and $U$ by $\Box$, $\bigcirc$, and $U$ respectively. Assume 
$F$ is satisfiable in a linear structure $M = (S, L)$ at state $s_i$, where $S = (s_0, s_1, \ldots)$. Let $r_M$ be 
the run defined by $r_M(t) = (\emptyset, A(t))$, where $A(t)$ maps name $n_p$ to action $\star$ if $p \in L(s_t)$, and 
to $\bot$ otherwise, and maps all other names to $\bot$. It is easy to check that $\varphi_F$ is satisfiable in $r_M$ at 
time $i$. Similarly, if $\varphi_F$ is satisfiable in a run $r$ at time $t$, we can convert $r$ into a linear structure 
$M_r = (S, L)$, where $p \in L(s_t)$ iff $(\star, n_p) \in \mathit{act}(r, t)$, and it is easy to check that $F$ is satisfiable in 
$M_r$ at state $s_t$. Since the satisfiability problem for LTL is PSPACE-complete, the above reduction 
means that the satisfiability problem for $\mathcal{L}_{hc}$ is PSPACE-hard. 

For the upper bound, we show that we can reduce the satisfiability problem for $\mathcal{L}_{hc}$ to the 
satisfiability problem for LTL in polynomial time. In particular, we show that $\varphi$ is satisfiable in $\mathcal{L}_{hc}$ 
iff $\varphi^T \wedge \varphi^I$ is satisfiable in LTL. Let $\varphi$ be a formula satisfied in run $r$ at time $t$. By Proposition 3.1, 
$M_r, s_t \models_L \varphi^T$. By construction, it is clear that $M_r, s_t \models_L \varphi^I$ (only one action per license per 
time, no two licenses with the same name ever issued, and so on). Hence, $M_r, s_t \models_L \varphi^T \wedge \varphi^I$. 
Conversely, assume that $\varphi^T \wedge \varphi^I$ is satisfiable in a linear structure $M$. By Proposition 3.2, there 
exists a run $r$ such that $r, 0 \models \varphi$, i.e., $\varphi$ is satisfiable in $\mathcal{L}_{hc}$. Finally, one can check that the size of 
the formula $\varphi^T \wedge \varphi^I$ is polynomial in the size of $\varphi$. ∎ 

Proposition 3.4: There exists a polynomial time algorithm for computing the interpretation $P_r$ 
corresponding to a finite run $r$. 

Proof: It is clearly sufficient to define $P_r$ for non-$\bot$ actions only, by taking $\bot$ to be the default 
value of $P_r$. Let $L_r$ be the set of named licenses issued in run $r$. We define, for every named license 
$(n, \ell) \in L_r$, a function $P_{r,n}$ that gives for every time $t$ the set of actions permitted by the named 
license $(n, \ell)$ at time $t$. Clearly, we can then take $P_r(t) = \bigcup_{(n, \ell) \in L_r} P_{r,n}(t)$. 

Consider a named license $(n, \ell) \in L_r$, and assume $(n, \ell)$ is issued at time $t_0$ in $r$. Let 
$A = (Q, I, \Delta, F)$ be the $\epsilon$-free NFA corresponding to the regular expression $\ell$, where $Q$ is the set of 
states, $I$ is the set of initial states, $\Delta$ is the transition relation, and $F$ is the set of final states. We can 
construct $A$ in time polynomial in the size of $\ell$, using [Hromkovic, Seibert, and Wilke 1997], where 
$|Q|$ is linear in the size of $\ell$ and $|\Delta|$ is less than quadratic. 

We can now define the function $P_{r,n}$. For $t < t_0$, we can take $P_{r,n}(t) = \{ \bot \}$. For $t \geq t_0$, 
we need to take the license into consideration. First, define the sequence of sets $S_0, S_1, \ldots, S_{m - t_0}$, 
where $m$ is the length of run $r$. These sets represent the sets of states of the NFA obtained by 
following the actions related to license name $n$ prescribed by the run. Formally, define $S_i$ inductively 
as: 

$$S_0 = I$$
$$S_{i+1} = \{ s' : (s, a, s') \in \Delta \text{ for some } s \in S_i \text{ and } (a, n) \in \mathit{act}(r, t_0 + i) \}.$$

With these sets, we define $P_{r,n}(t_0 + i) = \bigcup_{s \in S_i} \{ a : \exists s'.\ (s, a, s') \in \Delta \}$, that is, the set of actions 
that can be performed according to license $\ell$ starting from any of the states in $S_i$. One can check 
that the sets $S_i$ can be constructed in polynomial time, and therefore that $P_{r,n}$, and hence $P_r$, can be 
constructed in polynomial time. ∎ 
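The construction just proved, which is also the procedure sketched in Section 3 before Proposition 3.4, carried out on a small constructed run as an added example that is not code from the paper. The NFA is given directly as a set of transitions rather than built from a regular expression, $\bot$ is taken as the default permission in the sense the proof states (an assumption about how that phrase is read), and the obligation and violation helpers are this example's own additions: they apply the $\mathit{Obl}$ restriction of Section 3 and replay the run against $P_r$.

```python
"""Computing the permission interpretation P_r of a finite run, following the
construction in Section 3 and the proof of Proposition 3.4.  Added illustration,
not code from the paper; the license automaton and the run are constructed
sample data, and the Python names are this example's own."""
from typing import Dict, List, Set, Tuple

BOT = "⊥"                                   # the do-nothing action
Transition = Tuple[str, str, str]           # (s, a, s') in Delta
NFA = Tuple[Set[str], Set[Transition]]      # (I, Delta); Q and F are not needed here

# r(t) = (lic(r, t), act(r, t)): the license names newly issued at t, and the
# action done at t for each license name (⊥ when the name is absent).
Run = List[Tuple[Set[str], Dict[str, str]]]


def enabled(delta: Set[Transition], states: Set[str]) -> Set[str]:
    """Union over s in states of {a : exists s'. (s, a, s') in Delta}."""
    return {a for (s, a, _) in delta if s in states}


def step(delta: Set[Transition], states: Set[str], action: str) -> Set[str]:
    """S_{i+1}: states reachable from S_i by the action done at time t0 + i."""
    return {t for (s, a, t) in delta if s in states and a == action}


def permitted_for(run: Run, name: str, nfa: NFA) -> List[Set[str]]:
    """P_{r,n}(t) for every time t of the run."""
    initial, delta = nfa
    m = len(run)
    issue_times = [t for t in range(m) if name in run[t][0]]
    if not issue_times:
        return [{BOT} for _ in range(m)]         # never issued: only ⊥ (Unissued)
    t0 = issue_times[0]
    result = [{BOT} for _ in range(t0)]          # before t0 only ⊥ is allowed
    current = set(initial)                       # S_0 = I
    for t in range(t0, m):
        acts = enabled(delta, current)
        # ⊥ as the default value of P_r (proof of Prop. 3.4): once the automaton is
        # stuck or exhausted, ⊥ is the only action left.  This reading is an assumption.
        result.append(acts if acts else {BOT})
        current = step(delta, current, run[t][1].get(name, BOT))
    return result


def permission_interpretation(run: Run, licenses: Dict[str, NFA]) -> List[Set[Tuple[str, str]]]:
    """P_r(t) = union over names n of {(a, n) : a in P_{r,n}(t)}."""
    per_name = {n: permitted_for(run, n, nfa) for n, nfa in licenses.items()}
    return [{(a, n) for n in licenses for a in per_name[n][t]} for t in range(len(run))]


def obligations(p_r_t: Set[Tuple[str, str]], name: str) -> Set[str]:
    """O(a, n) holds iff a is the only action permitted for n (the Obl restriction)."""
    acts = {a for (a, n) in p_r_t if n == name}
    return acts if len(acts) == 1 else set()


def violations(run: Run, licenses: Dict[str, NFA]) -> List[Tuple[int, str, str]]:
    """(t, n, a) for every action a done for n at t that P_r(t) does not permit:
    the events an enforcement mechanism replaying the run would flag."""
    p_r = permission_interpretation(run, licenses)
    return [(t, n, acts.get(n, BOT)) for t, (_, acts) in enumerate(run)
            for n in licenses if (acts.get(n, BOT), n) not in p_r[t]]


# Constructed sample license: pay once, then two slots that are each a render
# or ⊥ (the shape of an UpFront trace with p = 3), as an epsilon-free NFA.
SAMPLE_NFA: NFA = ({"q0"}, {("q0", "pay", "q1"),
                            ("q1", "render", "q2"), ("q1", BOT, "q2"),
                            ("q2", "render", "q3"), ("q2", BOT, "q3")})

# Constructed run of length 5; license n1 is issued at time 1.
SAMPLE_RUN: Run = [
    (set(), {}),                   # t=0: nothing issued yet
    ({"n1"}, {"n1": "pay"}),       # t=1: n1 issued, client pays as obligated
    (set(), {"n1": "render"}),     # t=2
    (set(), {"n1": BOT}),          # t=3: idle slot
    (set(), {"n1": "render"}),     # t=4: license exhausted, render is not permitted
]
SAMPLE_LICENSES = {"n1": SAMPLE_NFA}

if __name__ == "__main__":
    for t, p in enumerate(permission_interpretation(SAMPLE_RUN, SAMPLE_LICENSES)):
        print(t, sorted(p), "obligated:", obligations(p, "n1"))
    print("violations:", violations(SAMPLE_RUN, SAMPLE_LICENSES))
```

Each time step costs one pass over $\Delta$, so the whole of $P_r$ is computed in time linear in the run length times $|\Delta|$ per license, which is the polynomial bound the proposition claims; the same $P_r$ then labels the states of $M_r$ with $\mathit{permitted}$ and $\mathit{obligated}$ propositions for model checking.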

Theorem 3.5: There exists an algorithm for deciding if a formula $\varphi$ is true in a finite run $r$ at time 
$t$. Furthermore, the algorithm runs in polynomial time with respect to the size of the model $r$ and in 
exponential time with respect to the size of the formula $\varphi$. 

Proof: Given a run $r$, we can compute $P_r$ in polynomial time by Proposition 3.4, and construct the 
model $M_r$ in time polynomial in the size of $r$. We can translate $\varphi$ into $\varphi^T$ in time polynomial in the 
size of the formula. We use Proposition 3.1 to reduce the problem to the model-checking problem 
for LTL, which can be solved in time polynomial in the size of $M_r$ and exponential in the size 
of $\varphi$ (see, for instance, [Vardi 1997]). ∎ 

Proposition 3.6: $r \models \varphi$ iff $M_r, s_0 \models_L G(\varphi^T)$. 

Proof: By definition, $r \models \varphi$ iff for all times $t$, $r, t \models \varphi$. By Proposition 3.1, this holds iff for all 
states $s_t$ of $M_r$, $M_r, s_t \models_L \varphi^T$, which just means that $M_r, s_0 \models_L G\varphi^T$. ∎ 